PHP Security Issues

Source Text from blog Phantom Star Soul Https://www.cnblogs.com/xinghun/p/5660846.html

First, SQL injection

SQL injection, by inserting a SQL command into a Web form to submit or entering a query string for a domain name or page request, eventually achieves a malicious SQL command that deceives the server. Specifically, it is the ability to inject (malicious) SQL commands into the background database engine execution using existing applications, which can be obtained by entering (malicious) SQL statements in a Web form to a database on a Web site that has a security vulnerability, rather than executing the SQL statement as the designer intended. For example, many of the previous film and television sites leaked VIP membership password is mostly through the Web form to submit query characters, such forms are particularly vulnerable to SQL injection attacks.

For example:

<form action= "sqlzhuru.php" method= "POST" ><input type= "text" name= "UID"/><input type= "Submit" value= " Submit "/></form>

sqlzhuru.php:

<?phpinclude (".. /db.class.php "), $db = new DB (), $uid = $_post[" UID "]; $sql =" SELECT * from users where uid = ' {$uid} ' "; echo $sql; Var_dump ($ Db->query ($sql));

This will allow you to find out all the information and workaround:

1. Manually check whether each piece of data is the correct data type, write a method to filter the submission data

2. The system comes with a method: Mysql_real_escape_string () filter data, but this method will be eliminated in future versions

<?phpinclude (".. /db.class.php "), $db = new DB (), $uid = $_post[" UID "]; $uid = mysql_real_escape_string ($uid); The system comes with a filter method, but it is obsolete $sql = "SELECT * from users where uid = ' {$uid} '"; echo $sql; Var_dump ($db->query ($sql));

3. Using PDO preprocessing

Second, XSS attacks

Cross Site scripting attacks (Scripting), which are not confused with the abbreviations of cascading style sheets (cascading style Sheets, CSS), are abbreviated as XSS for cross-site scripting attacks. A malicious attacker inserts malicious script code into a Web page, and when the user browses to the page, the script code embedded inside the Web is executed to achieve the special purpose of the malicious attacker.

For example:

<form action= "xssgongji.php" method= "POST" ><input type= "text" name= "test"/><input type= "Submit" value = "Submit"/></form>

Processing page:

<?phpinclude (".. /db.class.php "); $db = new DB (); Echo $_post[" test "];

If you open the test page with IE browser:

Because IE does not have the filter method, will pop up the popup window, but like Google, Firefox, 360 and other browsers will block out, will not pop up the popup window.

Workaround:

1. Write a method to mask XSS attacks, filter strings

2. System self-bringing method to solve

View Code

Third, CSRF attack

CSRF (Cross-site request forgery cross-site solicitation forgery, also known as "one click Attack" or Session Riding, usually abbreviated as CSRF or XSRF, is a malicious use of the site. Although it sounds like a cross-site script (XSS), it is very different from XSS and is almost at odds with the way it is attacked. XSS leverages trusted users within the site, while CSRF leverages trusted sites by disguising requests from trusted users. Compared to XSS attacks, csrf attacks are often less prevalent (and therefore have very few resources to protect against them) and are difficult to guard against, so they are considered more dangerous than XSS.

For example:

<?phpsession_start (); $_session["UID"] = "Lisi";? ><form action= "csrfcl.php" method= "get" ><input type= "text" name= "Qian"/><input type= "Submit" value = "Submit"/></form>

Processing page:

<?phpsession_start (); Include (".. /db.class.php "), $db = new DB (), if (Empty ($_session[" UID "])) {    echo" not logged in ";    } else{    $qian = $_get["Qian"];        $sql = "Update login Set account = account-{$qian} where username = ' {$_session[' uid ']} '";    echo $sql;    $db->query ($sql, 1);    }

To open the csrf.php page:

Data in the database:

This get value method will display the submission data in the address bar, without closing the page, then make a page, copy the address in

<body></body>

This request for this page will also change the data in the database:

If you change to post, you can reduce the situation, or you can submit more than one data in a form with hidden fields, for example:

<?phpsession_start (); $_session["UID"] = "lisi"; $str = MD5 ($_session["UID"]);? ><form action= "csrfcl.php" method= "POST" ><input type= "hidden" value= "<?php echo $str?>" Name= "Xinxi "/><input type=" text "name=" Qian "/><input type=" Submit "value=" Submit "/></form>

Processing page:

<?phpsession_start (); Include (".. /db.class.php "), $db = new DB (), if (Empty ($_session[" UID "])) {    echo" not logged in ";    } else{    $uid =md5 ($_session["UID"]);    $str = $_post["Xinxi"];        if ($uid = = $str)    {        $qian = $_post["Qian"];            $sql = "Update login Set account = account-{$qian} where username = ' {$_session[' uid ']} '";        echo $sql;        $db->query ($sql, 1);}    }

However, this approach does not completely avoid CSRF attacks, that is, using MD5 encryption, or someone can solve, the best way is to use the verification code. You do not know how the verification code is generated, and you cannot perform a csrf attack.

SQL injection Simply filters the committed string, and the XSS attack is pre-processed with PDO, and the CSRF attack can be resolved with a verification code.

Some hackers will forge file array uploads, how to Tell: Move_upload_file () can determine whether the real files.

After doing the project, the safety of the place must be cautious, do not easily believe that users upload or submit any data, must be handled correctly.

PHP Security Issues